I was wondering if it's possible to take a url request from an external server, process, and then return to the requester a different url. (specifically a media file)
For example: www.example.com/index.php?var1=blue&var2=green
I'd like to be able to use that url to access a media file hosted on the example.com server. I don't have access to code on the requesting site, so my php site index.php will need to take that url request and process based on the get vars, and the correct media file will be presented to the external site.
How about doing a redirect using header:
if (isset($_GET["var1"]) && $_GET["var1"] === "blue"){
header('Location: YOUR_BLUE_CONDITION_URL');
}else if (isset($_GET["var2"]) && $_GET["var2"] === "green"){
header('Location: YOUR_GREEN_CONDITION_URL');
}
As #Fred noted below, make sure you do not output anything prior to modifying the headers.
Related
I have a MediaWiki 1.32.0 website. MediaWiki website directories contains the file LocalSettings.php in which one could write global custom PHP.
As a non PHP programmer I ask if there is some PHP command I could use to restrict access to a certain existing webpage, by that webpage's URL, so that any web request to create it('s HTML) would be denied, either resulting in some 404-like HTTP status code, or a redirection to homepage, as long as that command appears in LocalSettings.php?
I would prefer a PHP way instead an Apache PCRE directive in .htacess. Also, I should note that the URL is already blocked by robots.txt.
You can get the requested URL in PHP like this:
$_SERVER['REQUEST_URI'];
And deny access to a page like this:
$url = $_SERVER['REQUEST_URI'];
if ($url == "/wiki/blocked_page") die('404 error here');
Or redirect to your home page like this:
$url = $_SERVER['REQUEST_URI'];
if ($url == "/wiki/blocked_page") header('Location: /');
Note: request_url is everything after your domain name.
If your URL is https://example.com/wiki/blocked_page request_url would return "/wiki/blocked_page".
I have a subdomain which I want to forward to a changing url for post requests.
The changing url can be obtained using a php script I have.
Example:
My subdomain:
subdomain.website.com
Php script:
website.com/getsite.php
I want the "subdomain.website.com" to redirect to whatever url is in the php script (it changes frequently), all this while forwarding post requests back and forth.
How can I achieve this? NodeJs? Php script? I am at a loss on how.
use $_SERVER ['HTTP_HOST']. It is your domain/subdomain.
if ($_SERVER ['HTTP_HOST'] == 'subdomain.website.com') {
Header ("Location: http://website.com/getsite.php");
exit();
}
I've been trying to get the URL (including GET parameters) of a site that is displaying my image. This is because I want to extract one parameter of the URL.
A friend told me that she knew someone that could achieve this, but I don't know if he was doing it with an image. Also I don't think I can do it with a link because when going to external sites it will appear a warning page saying that you're being redirected outside, so if I put a link to my page and someone clicks, I will get the referrer URL of redirection warning page. I can't assure if my friend was telling the truth about this, but it's very likely that it was true.
All I could get with the image was the IP and other things of the HTTP header, but the referrer part is empty and I thought that the referrer contained the full URL I'm talking about.
This is what I have tried.
First the img tag in the other site in BBCode:
[img]http://______.com/get_image.php?i=myimage[/img]
And in my site this script in PHP, although any language that does the work would be good for me:
<?php
// Get name of image to be displayed (non-sanitized here for simplicity)
$filename = $_GET["i"];
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['HTTP_REFERER'])) {
$visitor_url = $_SERVER['HTTP_REFERER'];
} else {
$visitor_url = "none";
}
// And write the referrer to a file just to test if it works
$fp = fopen('referer.txt', 'w');
fwrite($fp, $visitor_url);
fclose($fp);
// Eventually display the image
header('Content-Type: image/png');
readfile($filename . '.png');
?>
So my questions are:
Is it possible to get full URL of a site that is displaying my image?
If not, is there any other method to get the full URL?
Thank you in advance.
Note: I don't have any permision in the other site where I'm posting the image, I'm just an user there. Please tell me if I'm missing something or I have to ask this in another way, I'm new to StackOverflow.
Try REMOTE_HOST instead of HTTP_REFERER:
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['REMOTE_HOST'])) {
$visitor_url = $_SERVER['REMOTE_HOST'];
} else {
$visitor_url = "none";
}
The web server where you are serving the image will need to be configured properly. If using Apache, this is with HostNameLookups On.
See http://php.net/manual/en/reserved.variables.server.php
Normally browsers are sending full referer with all URL components including query parameters - $_GET params. If they don't then there is no other way to achieve that URL while passing throught an image content.
Sometimes sending referer may be blocked, for eg. in some batch URL processing using some crawler like program/script or on some proxies.
In PHP receiving referer is done by $_SERVER['HTTP_REFERER'] because it's normally just http header from request and it's the only $_SERVER array key with referer info.
You added the .htaccess tag so I think you're using the Apache web server. If you'd like to prevent the issue entirely, you can disable hotlinking entirely by going one layer lower. Instead of managing in PHP, you can configure the web server to not serve content to domains other than the one you are hosting.
Check out the guide for more details.
I fixed this problem by switching my site (where image is hosted) to HTTPS. The code in my question was doing its job correctly.
It looks that HTTP_REFERER was blank because of it coming from an HTTPS site and my site being HTTP it would always send it blank. I was aware that it could be a problem, but didn't make much sense for me because HTTP_REFERER was also blank when coming from another HTTP site (which I think it's not normal) so I thought the error was in another place.
Usually HTTP_REFERER is sent when it comes from and goes to:
from HTTP to HTTP
from HTTPS to HTTPS
from HTTP to HTTPS
But it's not sent when it comes from and goes to:
from HTTPS to HTTP
And in my case, I don't know why, it wasn't being sent from HTTP to HTTP which was confusing me.
What I'm trying to do is use PHP to redirect from web site A to web site B (both are different domains), but I want the referrer in the HTTP headers to be set to web site A (the page that performed the redirect). So, that is, web site B will see web site A as a referrer.
You can use something like <meta http-equiv="refresh" content="1;url=http://siteb.net"> on your site A.
I'm pretty certain that the sending the referrer is ultimately up to the web browser, not PHP.
You could probably send the address via $_GET though.
Edit: You won't be able to change the referrer (misread the post, derp).
I've checked using localhost and a dummy script. The browser does send the referer in the HTTP even at redirections.
To test this, I created a script called testRefererRedirect.php:
<?php
if($_GET['a']){
if($_SERVER['HTTPS'] && $_SERVER['HTTPS'] != 'off'){
echo $_SERVER['HTTP_REFERER'];
}else{
header('Location: https://localhost/testrefererredirect.php?a=1');
}
}else{
echo 'test';
}
To emulate cross domains, I used HTTP and HTTPS for my local server.
On first load, the page will show a link: I will click this link to allow the browser to send the referer in the headers. Next, because I load the page initially in HTTP the header function will be called. Finally, the HTTP referer header meant for the 2nd step showed up in the 3rd step.
Conclusion
You can safely use $_SERVER['HTTP_REFERER'] on website B to capture the refer information meant for website A if you do redirection on website A.
I have several pages inside an AJAX directory. I don't want these pages accessible directly so you cannot just type in the URL of the page within the AJAX directory and access it. I "solved" this by using a PHP session on the page that calls it as follows:
Main page:
<?php
session_start();
$_SESSION['download']='ok';
?>
and on the ajax page I have this:
<?php
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;}
?>
The only problem is that if a user goes through the correct process once, the cookie is stored and they can now access the page directly. How do I kill the session once they leave the parent page?
thx
why use session ?
if i understood what you want:
<?php /// Is ajax request var ?
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])=="xmlhttprequest") {
// do your ajax code
} else {
// redirect user to index.php since we do not allow direct script access, unless its ajax called
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit();
}
} ?>
A really simple solution is to open up each of the files you want to protect from direct URL entry & add the following to the top:
<?php if (isset($_GET['ajax']) != true) die();?>
Now get rid of your redirect script since it's useless now. You don't need to use sessions for this. Every time you request a page, use it's direct URL, just add ?ajax=1 to the end of it.
By adding the ?ajax=1, PHP will set a key of 'ajax' to the $_GET global variable with the value of 1. If ?ajax=1 is omitted from the URL then PHP will not set a key of 'ajax' in $_GET and thus when you check if it's set with isset() it will return false, thus the script will die and not output anything. Essentially the page will only output data if ?ajax=1 is at the end of the URL.
Someone could still "spoof" the URL and add '?ajax=1' themselves, but that is not the default behavior for people or web browsers. If you absolutely need to prevent this then it will be much more complicated, e.g. using templates outside of a publicly available folder. Most other "simple" solutions will have the same "spoofing" potential.
There's really no way to accomplish this with a 100% certainty - the problem is, both AJAX and regular web browser calls to your web site are using the same underlying protocol: HTTP. If the integrity and security of your site depends on keeping HTTP clients from requesting a specific URL then your design is wrong.
so how do you prevent people from directly accessing files inside certain directories while still letting the site use them??
Create a controller file. Send all AJAX requests to this controller.
ajax-control.php
<?php
$is_ajax = true;
include "ajaxincludes/test.php";
// ... use the ajax classes/functions ...
ajaxincludes/test.php
<?php
if (!isset($is_ajax) || !$is_ajax)) {
exit("Hey you're not AJAX!");
}
// ... continue with internal ajax logic ...
If clients try to access the file directly at http://mysite/ajaxincludes/test.php they'll get the error message. Accessing http://mysite/ajax-control.php will include the desired file.
I don't think there is a surefire way to do what you are asking, since HTTP request headers can be faked. However, you can use $_SERVER['HTTP_REFERER'] to see if the request appears to be coming from another page on your site.
If the rest of the security on your site is good, the failure of this method would not grant the user access to anything they were not already able to access.
I've never tried this but maybe you could do something with jQuery's .unload() and then call a PHP page to unset() the session.
Why not (on Ajax page):
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;
}
// do whatever you want with "access granted" user
// remove the download flag for this session
unset($_SESSION["download"]);